In recent years, it has become clear that legislation such as the GDPR and, more recently, the NIS2 Directive has led to stagnation, confusion, and hesitation within organizations. In both cases, the root cause lies not in the intent of the legislation, but in the way it is interpreted and implemented. Vague definitions, broad obligations, and open standards often leave organizations uncertain about what is or isn’t permissible. As a result, investments are postponed, technologies are not implemented, and the risk of non-compliance actually increases.
This whitepaper demonstrates that solutions do exist which structurally contribute to both compliance and operational simplicity. Using a practical example — the Palm-ID Card, a newly developed biometric access card that fundamentally differs from conventional solutions — it illustrates how technology, designed from the ground up with privacy and security by design, can resolve many of the structural issues posed by legislation instead of merely managing them.
Structural Challenges in GDPR and NIS2
The GDPR requires organizations to handle personal data carefully and to be fully accountable for it. However, in practice:
- Core concepts such as “legitimate interest,” “appropriate measures,” and “data minimization” are legally vague.
- Processing already occurs as soon as a card number is linked to a person, timestamp, or behavior.
- Many organizations lack full visibility into how data is processed in external systems.
As a result, organizations attempt to manage risks through documentation, Data Protection Impact Assessments (DPIAs), and processor agreements, but rarely ask the fundamental question: Is this processing even necessary?
NIS2: Technical and Organizational Measures Without Clear Guidance
NIS2 imposes similar obligations for securing network and information systems, but:
- Leaves it up to organizations to determine what is “appropriate.”
- Shifts risks onto suppliers through supply chain responsibility.
- Requires demonstrable security without providing technical guidelines.
Again, this vagueness leads to hesitation and uncertainty. While NIS2 explicitly aims to strengthen cyber resilience, there is a significant risk that organizations will become bogged down in paperwork and procedures without achieving actual risk reduction.
Palm-ID Card as an Example of Risk Mitigation by Design
The Palm-ID Card is an example of a technology that has been designed from the outset according to the principles of privacy by design, security by design, and minimal data exposure. Rather than adapting existing solutions to comply with legislation, the Palm-ID Card was developed by asking the fundamental question: How can we provide secure access without processing personal data or making systems vulnerable?
Design Choices That Enable Compliance
- The card operates fully stand-alone and is not connected to a network.
- Biometric data is stored exclusively on the card and is never shared externally.
- Upon a successful biometric match, an encrypted number is generated.
- Only the client’s access control system determines the linkage to an individual.
- No logging is performed unless the client explicitly chooses to do so.
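As an added illustration (not code from this whitepaper or from the Palm-ID Card product), the following Python model shows which party holds which data in the flow just listed: the template and key stay on the card, the card emits only a fresh encrypted number after a local match, and the client's access control system (ACS) is the only place that number is linked to a person. It assumes a site-wide key shared between the cards and the ACS, a simplified exact-match biometric comparison, and an encrypt-then-MAC construction built from the standard library; all sample values are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed site key: shared only between the cards and the client's ACS (assumption).
SITE_KEY = os.urandom(32)


def _keystream(key: bytes, nonce: bytes) -> bytes:
    # Per-presentation keystream derived from the key and a fresh nonce.
    return hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()


@dataclass
class PalmIdCard:
    """Stand-alone card: template, serial and key never leave this object."""
    template: bytes            # stored exclusively on the card
    serial: int
    key: bytes = SITE_KEY

    def present(self, live_sample: bytes):
        # Biometric match happens on the card (simplified here to exact equality);
        # on failure nothing at all is emitted.
        if not hmac.compare_digest(self.template, live_sample):
            return None
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(self.serial.to_bytes(8, "big"), _keystream(self.key, nonce)))
        tag = hmac.new(self.key, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
        return nonce + ct + tag    # the "encrypted number": different on every presentation


@dataclass
class AccessControlSystem:
    """Client-side system: the only place a serial is linked to an individual."""
    people: dict                       # serial -> person label, held by the client only
    logging_enabled: bool = False      # no logging unless the client opts in
    log: list = field(default_factory=list)
    key: bytes = SITE_KEY

    def resolve(self, token: bytes):
        if token is None or len(token) != 40:
            return None
        nonce, ct, tag = token[:16], token[16:24], token[24:]
        expected = hmac.new(self.key, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return None                # forged or corrupted token is ignored
        serial = int.from_bytes(bytes(a ^ b for a, b in zip(ct, _keystream(self.key, nonce))), "big")
        person = self.people.get(serial)
        if self.logging_enabled:
            self.log.append(person)
        return person
```

The point to read off the model is the data boundary: nothing the card emits contains the template or a stable identifier, and any link to a named person exists only in the client's own table.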
Why This Approach Works Under GDPR and NIS2
- No central storage means no risk of data breaches in case of system intrusions.
- No network connection means no vulnerability to remote attacks.
- No processing by the supplier means no need for processor agreements or DPIAs.
- No standard logging means minimal privacy impact and compliance with retention periods.
Because the Palm-ID Card knows nothing, records nothing, and shares nothing, it also has no legal obligations to account for anything. The product facilitates access — not identity. And that makes it fundamentally different from almost every other access solution.
From Compliance to Design Choice
Both GDPR and NIS2 emphasize responsibility: not only for complying with rules but also for substantiating choices. The Palm-ID Card aligns seamlessly with this by reducing risks at the source:
- No personal data → no processing → no obligations
- No network → no vulnerabilities → no threats under NIS2
- No logging → no storage policy → no retention conflict
These design choices make the Palm-ID Card not only legally attractive but also operationally simple and future-proof. The result is a product that does not hinder compliance but renders many regulatory requirements unnecessary through its intrinsic safety and simplicity.
Conclusion
The stagnation around GDPR and NIS2 is not due to unwillingness but to a lack of clarity. In both cases, the principle holds: those who can avoid risks do not need to manage them.
The Palm-ID Card demonstrates that technology, if well designed from the ground up, can contribute to peace of mind, certainty, and simplicity in an increasingly complex environment.
Organizations would do well to stop searching for solutions that attempt to circumvent or fit within the law and instead invest in products that render regulation redundant by eliminating risks at the source.